Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/lightdiscord/talos-kms-vault

Proxy between a Talos node and a Hashicorp Vault instance to enable KMS disk encryption
https://github.com/lightdiscord/talos-kms-vault

hashicorp-vault kms talos

Last synced: about 17 hours ago
JSON representation

Proxy between a Talos node and a Hashicorp Vault instance to enable KMS disk encryption

Host: GitHub
URL: https://github.com/lightdiscord/talos-kms-vault
Owner: lightdiscord
License: mpl-2.0
Created: 2024-05-04T17:55:25.000Z (7 months ago)
Default Branch: main
Last Pushed: 2024-05-04T17:56:06.000Z (7 months ago)
Last Synced: 2024-05-04T18:42:01.752Z (7 months ago)
Topics: hashicorp-vault, kms, talos
Language: Go
Homepage:
Size: 0 Bytes
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # talos-kms-vault

Proxy between a Talos node and a Hashicorp Vault instance to enable KMS disk encryption.

This project is a proof of concept.

## Usage

The Vault client uses the environment variables to configure itself, `VAULT_ADDR` and `VAULT_TOKEN` should be used.

The token needs to use a policy that allows the `update` capability to `:transit-path/encrypt/+` and `:transit-path/decrypt/+`.

## TODOs

* Talos Node's ID seems to be a UUID, if that's always the case implement a validation on the `Seal`/`Unseal` methods.

* Dynamic vault authentication (don't use a static token and try to use the right method for the current context) 

* Maybe transform this into a Vault plugin.

## References

* KMS client and server example - https://github.com/siderolabs/kms-client